Token expiration

Token expiration defines the limited lifespan of authentication and access tokens issued to users. These tokens are used for authentication and authorization, and once expired, users must re-authenticate to obtain new tokens.

This time-based mechanism enhances security by limiting how long a token remains valid, reducing the risk of misuse if compromised. Token lifespans are configurable based on your application’s security requirements.

Access token

After successful verification, the user authorizes the request and is redirected to your application with an authorization code. Your application then exchanges that code at ID.me’s token endpoint to retrieve an access token and a refresh token. The response payload includes expiration details for each token.

ID.me access tokens are short-lived for security purposes. While OAuth 2.0 recommends a maximum lifespan of ten minutes, ID.me tokens expire after five minutes (300 seconds) by default.

Important

Access tokens are single-use. If a client attempts to reuse one, the request will be denied and the token revoked.

To adjust the expiration time for an access token, contact your ID.me solution consultant or email partnersupport@id.me.

Refresh token

ID.me recommends maintaining the five-minute expiration for access tokens to protect sensitive applications. If a token expires and continued access is needed, you can use the refresh_token from the payload to request a new access token without requiring the user to re-authenticate.

By default, ID.me sets the refresh token expiration to seven days (10,080 minutes). This duration can be adjusted through your ID.me solution consultant or by emailing partnersupport@id.me.
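The expiration rules described above can be tracked client-side as in the following added example, which is not ID.me's own code. It assumes the token response reports the lifetimes as `expires_in` (the RFC 6749 field) and `refresh_expires_in` (an assumed field name); `TokenState`, `SKEW_S` and the sample payload are hypothetical.

```python
from dataclasses import dataclass

ACCESS_DEFAULT_S = 300            # page default: five minutes
REFRESH_DEFAULT_S = 10_080 * 60   # page default: seven days (10,080 minutes)
SKEW_S = 30                       # assumed margin for clock drift and network latency

@dataclass
class TokenState:
    access_token: str
    refresh_token: str
    access_deadline: float
    refresh_deadline: float
    consumed: bool = False        # the page states access tokens are single-use

    @classmethod
    def from_response(cls, payload, received_at):
        # "expires_in" is the RFC 6749 field; "refresh_expires_in" is an assumed
        # name. A missing field falls back to the default lifetime from the page.
        access_s = int(payload.get("expires_in", ACCESS_DEFAULT_S))
        refresh_s = int(payload.get("refresh_expires_in", REFRESH_DEFAULT_S))
        if access_s <= 0 or refresh_s <= 0:
            raise ValueError("token response carries a non-positive lifetime")
        return cls(payload["access_token"], payload["refresh_token"],
                   received_at + access_s, received_at + refresh_s)

    def next_action(self, now):
        """Return 'use', 'refresh' or 'reauthenticate' for time `now`."""
        if not self.consumed and now < self.access_deadline - SKEW_S:
            return "use"
        if now < self.refresh_deadline - SKEW_S:
            return "refresh"
        return "reauthenticate"

    def take_access_token(self, now):
        # Hand the token out once only, so a retry cannot replay it.
        if self.next_action(now) != "use":
            raise RuntimeError("access token unavailable: " + self.next_action(now))
        self.consumed = True
        return self.access_token

    def refresh_grant_params(self):
        # Parameters of a refresh_token grant (RFC 6749 section 6). The caller
        # adds client authentication and POSTs them to the token endpoint.
        return {"grant_type": "refresh_token", "refresh_token": self.refresh_token}

# Constructed sample payload, not a real ID.me response.
SAMPLE = {"access_token": "example-access", "refresh_token": "example-refresh",
          "expires_in": 300, "refresh_expires_in": 604800}
```

Store the refresh token server-side only, and replace the whole `TokenState` with the result of each refresh response rather than patching individual fields.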

Learn more

For a full walkthrough of the token exchange process and how tokens are used within the OAuth 2.0 flow, check out our OAuth 2.0 guide.